From a825b853634714bfad5ecee0acdc2942209828c2 Mon Sep 17 00:00:00 2001 From: Johannes Schneider Date: Fri, 1 Nov 2024 13:05:13 +0100 Subject: [PATCH] signing.bbclass: add certificate ca-chain handling Add handling of ca-chains which can consist of more than one certificate in a .pem file, which need to be split off, processed and stored separately in the softhsm - as the tool-chain signing.bbclass::signing_import_cert* -> softhsm -> 'extract-cert' only supports one-per-file, due to using/expecting "plain" x509 in-/output. The added signing_import_cert_chain_from_pem function takes a basename, and iterates through the input .pem file, creating numbered _1, _2, ... roles as needed. Afterwards the certificates can be used or extracted one-by-one from the softhsm, using the numbered roles; the only precondition - or limitation - is that the PKI structure has to be known beforehand; e.g. how many certificates are between leaf and root. Signed-off-by: Johannes Schneider Signed-off-by: Khem Raj --- meta-oe/classes/signing.bbclass | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/meta-oe/classes/signing.bbclass b/meta-oe/classes/signing.bbclass index f52d861b76..7fd167d937 100644 --- a/meta-oe/classes/signing.bbclass +++ b/meta-oe/classes/signing.bbclass 
@@ -129,6 +129,36 @@ signing_import_cert_from_der() {
     signing_pkcs11_tool --type cert --write-object "${der}" --label "${role}"
 }
 
+# signing_import_cert_chain_from_pem
+#
+
+# Import a certificate *chain* from a PEM file to a role.
+# (e.g. multiple ones concatenated in one file)
+#
+# Due to limitations in the toolchain:
+# signing class -> softhsm -> 'extract-cert'
+# the input certificate is split into a sequentially numbered list of roles,
+# starting at _1
+#
+# (The limitations are the conversion step from x509 to a plain .der, and
+# extract-cert expecting a x509 and then producing only plain .der again)
+signing_import_cert_chain_from_pem() {
+    local role="${1}"
+    local pem="${2}"
+    local i=1
+
+    cat "${pem}" | \
+    while openssl x509 -inform pem -outform der -out ${B}/temp_${i}.der; do
+        signing_import_define_role "${role}_${i}"
+        signing_pkcs11_tool --type cert \
+            --write-object ${B}/temp_${i}.der \
+            --label "${role}_${i}"
+        rm ${B}/temp_${i}.der
+        echo "imported ${pem} under role: ${role}_${i}"
+        i=$(awk "BEGIN {print $i+1}")
+    done
+}
+
 # signing_import_cert_from_pem
 #
 # Import a certificate from PEM file to a role. To be used
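Review bot: `signing_import_cert_chain_from_pem` cannot signal failure: the pipeline's status is that of the `while` loop, which always ends with `openssl x509` failing at end of input, so a missing or empty `${pem}`, a file with no certificate at all, or a corrupt entry part-way through the chain (which stops the loop after the certificates before it) all return 0 and a consumer later finds fewer `${role}_N` roles than the PKI layout it was told to expect. The loop also depends on each successive `openssl x509` invocation consuming exactly one certificate from the shared `cat` pipe, which presumably only holds if OpenSSL does no stdio read-ahead on stdin — worth confirming with a three-certificate chain — and because `i` lives in the pipeline's subshell it cannot be checked after `done`. I would split the input on the `-----BEGIN CERTIFICATE-----`/`-----END CERTIFICATE-----` armour lines into per-certificate files, convert and import each one with a checked `openssl` call, and fail when nothing was found; `bbfatal` below assumes BitBake's shell helpers are available in this class, otherwise use `exit 1`. Quoting `"${B}"` in the temp paths would also keep the function safe if the build directory ever contains spaces.
```shell
signing_import_cert_chain_from_pem() {
    local role="${1}"
    local pem="${2}"
    local i=1
    local chunk der

    # Split on the PEM armour lines instead of relying on each 'openssl x509'
    # invocation consuming exactly one certificate from a shared stdin pipe.
    rm -f "${B}"/temp_chain_*.pem
    awk -v prefix="${B}/temp_chain_" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = prefix n ".pem" }
        out != "" { print > out }
        /^-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "${pem}" || bbfatal "failed to read ${pem}"

    while [ -e "${B}/temp_chain_${i}.pem" ]; do
        chunk="${B}/temp_chain_${i}.pem"
        der="${B}/temp_${i}.der"
        # A certificate that does not parse must abort, not silently truncate the chain.
        openssl x509 -inform pem -in "${chunk}" -outform der -out "${der}" \
            || bbfatal "certificate ${i} in ${pem} is not a valid X.509 PEM"
        signing_import_define_role "${role}_${i}"
        signing_pkcs11_tool --type cert \
            --write-object "${der}" \
            --label "${role}_${i}"
        rm -f "${chunk}" "${der}"
        echo "imported ${pem} under role: ${role}_${i}"
        i=$((i + 1))
    done

    [ "${i}" -gt 1 ] || bbfatal "no certificate found in ${pem}"
}
```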